Jenkins LDAP Authentication

Continuing on my journey through centralizing my authentication for a number of services, I come to my Jenkins instance. This was set up recently to handle CI/CD on some of my personal projects, and has been working extremely well on automated build/test/deploy. Since none of the software it supports is going anywhere anytime soon, I decided to add the instance to the grouping of services going to LDAP for authentication. Setting up Jenkins with LDAP is a relatively straightforward process. It requires a few plugins to support it fully (authentication, group-based authorization). The difficulty comes in authorization, as the role-based authorization strategy plugin isn’t as well documented as one would hope. It is at least not too hard to work through and works as intended.

Plugins to Use

Portainer LDAP Authentication

On my adventure to centralize authentication around my applications, I have Portainer up next. I use this application to help manage my docker containers and images across my docker swarm cluster and on my unRAID server. Portainer has some basic LDAP authentication capabilities built in for free, and a large amount of capability behind paid services and plugins. For this, I will be using the free capabilities.

Grafana LDAP Authentication

In my adventure to add centralized authentication to a portion of my infrastructure, I decided to add Grafana to my list of apps using LDAP. I have had a Grafana/Influx/Telegraf stack up in my infrastructure for a long time and have no intention of removing it, so it’s a perfect candidate for this treatment.

While Grafana includes some enterprise features for purchase, we will just be using the free features available. These can be used to set up basic authentication for login, and roles based on LDAP groups. This can provide admin, viewer, and editor capabilities. For my instance, I’ll be focusing on a basic admin user, with all other LDAP logins from my server going to the viewer role.

  • Admin
    • Administrator user
  • Editor
    • edit and view dashboards
  • Viewer
    • view dashboards

Univention memberOf Attribute Saga

When I initially built the main part of my lab, I wanted to have a Domain Controller for centralized authentication. I decided upon using Univention Corporate Server as my domain controller. I never ended up using it for centralized authentication, though it has been very easy to maintain for a local DNS server to avoid DNS loopback problems with my ISP.

After working with separate accounts on all my services long enough, I decided it would be a good time to move at least some of my core services to use centralized authentication. I spin up and experiment with services often enough that I’ll never have 100% of it centralized, but the frequently used ones can at least be easier to log in to without memorizing multiple passwords.

Fixing the Docker Swarm tasks.db

The Issue: The docker swarm manager node becomes useless after the tasks.db file explodes in size. This can be seen by worker nodes not being able to connect to the swarm, or manager nodes not seeing the other manager.

The Fix: Stop the docker service (service docker stop), delete or move the tasks.db file, start the docker service (service docker start). This seems too simple to be true, but it isn’t; the tasks.db file can be safely removed and regenerated by the docker swarm manager.

WireGuard on Unifi USG

I have been looking around for a good VPN solution to use while traveling recently. I have a few services running at home that I really don’t want on the internet (OctoPrint, general ssh access, etc.), but I want to use remotely. I also want a way to secure my connection when I don’t trust the network I’m connecting through.

I had previously set up an L2TP Remote user VPN in the UniFi controller, but it had a few issues.

  • Instability on Android (the VPN wouldn’t even show as ‘disconnected’, it would simply stop)
  • Issues when connecting to it from IPv6 cell carriers

I had heard of WireGuard a while ago and have been keeping track of development and their status on integrating with the Linux kernel. It turns out some kind soul has created a deb package to install WireGuard on Vyatta (which is what the USG is based on).

Disabling the Aggressive Inspircd Health Check

One of the first application stacks I went to install and set up on my new Raspberry Pi docker cluster was Inspircd/qwebirc/anope. This stack was running originally on a Raspberry Pi 1B (256MB RAM version). I wanted to move this off the Pi 1 since it was out of date and would need a complete reinstall to be back to full patch status. However, shortly after getting it running in my swarm, I ran into issues.

The IRC server would restart every few hours; sometimes it would restart every 10 minutes or so. I deemed that as unacceptable on my basic setup even for just using it in development of IRC bots.

Automated Stairway Night Lights

I wanted a simple but useful project as my first bit of home automation after getting some CloudFree smart plugs. We have fairy (Christmas) lights on our banisters going upstairs that we plug in whenever we want to use them, so why not set them up on the smart plugs and set up an automation to turn them on at night, and turn them off around when we should be going to bed? This seemed like a simple enough project for a first shot at it, and something that we would use.

Goal

  • Stairway lights turn on before sundown
  • Stairway lights turn off around bedtime on weekdays
  • Stairway lights turn off slightly later on weekends

CloudFree Tasmota Smart Plug Setup

I’ve wanted to mess about with the whole home automation craze that seems to be going on, but on a fully self-hosted installation (no Alexa, no Google Assistant, my data staying all on my network). After the SelfHosted Podcast mentioned the CloudFree smart plugs, I knew they were the right gear to try out. The smart plugs come from CloudFree, which has the plugs pre-flashed with Tasmota.

The quick start guide worked perfectly for the initial setup and getting the smart plugs on my WiFi network. I’ll have that guide below (in case it’s lost) and continue on with my own instructions for connecting to Home Assistant via MQTT afterwards.

Adding UCS Authentication Account

Adding an account to use in authenticating against the LDAP directory is simple enough. The process is done entirely within the LDAP directory GUI from the Domain menu option in UCS. Navigate to the “user” container, and select the add button. Select the type of the account to be a “Simple Authentication Account”, pick a username and password and click add.

  • Domain -> LDAP Directory
  • User Container, Add
  • Type: Simple Authentication Account
  • Username: my-new-auth-account
  • Click Add
  • Profit

This user account can now be used in a service to authenticate against the LDAP server.
